bug-wget

From: anonymous
Subject: [bug #65009] wget refuses to use legitimate self signed CAs provided with the --ca-certificate flag
Date: Mon, 11 Dec 2023 09:53:21 -0500 (EST)

URL:
  <https://savannah.gnu.org/bugs/?65009>

                 Summary: wget refuses to use legitimate self signed CAs
provided with the --ca-certificate flag
                   Group: GNU Wget
               Submitter: None
               Submitted: Mon 11 Dec 2023 02:53:19 PM UTC
                Category: Program Logic
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: David Hadas
        Originator Email: david.hadas@gmail.com
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
        Operating System: Mac OS
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: None
           Work Required: None
          Patch Included: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Mon 11 Dec 2023 02:53:19 PM UTC By: Anonymous
Release: 1.21

---

Using mTLS with self-signed certificates with various tools, it seems wget
misbehaves and does not add a legitimate self-signed CA provided with the
--ca-certificate flag to the CA pool used internally.
(I expect that the same issue exists with TLS.)

The CA PEM is legitimate and well structured, as it is used successfully with
other tools: (1) curl (see below), (2) the standard Go client and server.

Wget prints "Self-signed certificate encountered" as output although the
CA PEM is provided using --ca-certificate.
Wget gives the same response with and without --ca-certificate...

---

Here is an example:
% ./hack/ping.sh

Connect to remote server using mTLS and self signed certificates

Try Curl:

+ curl https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --key prk.pem --cert cert.pem --cacert ca.pem
                                <<< Response from the server
Hello little client,            <<< Response from the server
happy to serve you today        <<< Response from the server
                                <<< Response from the server
+ set +x  

Try Wget:

+ wget https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
--2023-12-09 08:43:37--  https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
Resolving
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
(myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)...
169.63.244.138
Connecting to
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
(myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443...
connected.
ERROR: cannot verify
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
certificate, issued by ‘CN=test,O=test.research.ibm.com’:
  Self-signed certificate encountered.
To connect to
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
insecurely, use `--no-check-certificate'.
+ set +x

---


Example running with debug mode:
% ./hack/ping.sh

Connect to remote server using mTLS and self signed certificates

Try Curl:

+ curl -v https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --key prk.pem --cert cert.pem --cacert ca.pem
*   Trying 169.63.244.138:443...
* Connected to
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
(169.63.244.138) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: ca.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, CERT verify (15):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: O=test.research.ibm.com; CN=test
*  start date: Dec  9 06:42:29 2023 GMT
*  expire date: Jan  8 06:42:29 2024 GMT
*  subjectAltName: host
"myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
matched cert's
"myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
*  issuer: O=test.research.ibm.com; CN=test
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority:
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x147811e00)
> GET / HTTP/2
> Host:
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< content-length: 51
< date: Sat, 09 Dec 2023 06:53:45 GMT
<

Hello little client,
happy to serve you today

* Connection #0 to host
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
left intact
+ set +x

Try Wget:

+ wget -d https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
Setting --private-key (privatekey) to prk.pem
Setting --certificate (certificate) to cert.pem
Setting --ca-certificate (cacertificate) to ca.pem
DEBUG output created by Wget 1.21.4 on darwin22.4.0.

Reading HSTS entries from /Users/davidhadas/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2023-12-09 08:53:45--  https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
Resolving
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
(myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)...
169.63.244.138
Caching
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
=> 169.63.244.138
Connecting to
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
(myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443...
connected.
Created socket 5.
Releasing 0x0000600003c62480 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 5 to SSL handle 0x0000000143008200
certificate:
  subject: CN=test,O=test.research.ibm.com
  issuer:  CN=test,O=test.research.ibm.com
ERROR: cannot verify
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
certificate, issued by ‘CN=test,O=test.research.ibm.com’:
  Self-signed certificate encountered.
To connect to
myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
insecurely, use `--no-check-certificate'.
Closed 5/SSL 0x0000000143008200
+ set +x

---

% wget --version
GNU Wget 1.21.4 built on darwin22.4.0.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls 
+ntlm +opie -psl +ssl/openssl 

Wgetrc: 
    /opt/homebrew/etc/wgetrc (system)
Locale: 
    /opt/homebrew/Cellar/wget/1.21.4/share/locale 
Compile: 
    clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/homebrew/etc/wgetrc" 
    -DLOCALEDIR="/opt/homebrew/Cellar/wget/1.21.4/share/locale" -I. 
    -I../lib -I../lib -I/opt/homebrew/opt/openssl@3/include 
    -I/opt/homebrew/Cellar/libidn2/2.3.4_1/include -DNDEBUG -g -O2 
Link: 
    clang -I/opt/homebrew/Cellar/libidn2/2.3.4_1/include -DNDEBUG -g 
    -O2 -L/opt/homebrew/Cellar/libidn2/2.3.4_1/lib -lidn2 
    -L/opt/homebrew/opt/openssl@3/lib -lssl -lcrypto -ldl -lz 
    ../lib/libgnu.a -liconv -lintl -Wl,-framework -Wl,CoreFoundation 
    -lunistring 

Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?65009>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
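A worked check to go with the report above, added here as an example; it is not code from the report nor from the wget or curl projects. It is in Go because the standard Go client is one of the tools the reporter says accepted the same ca.pem, and crypto/x509 is what that client verifies with. Everything is generated in memory at run time, nothing is read from disk: the CA and the self-signed server certificate reuse the DN printed in the debug output (CN=test,O=test.research.ibm.com), and the host name myapp.example.test is a placeholder standing in for the cluster host. VerifyWithCAFile does what --ca-certificate is meant to do, trust only the given PEM, and is exercised over the two certificate shapes that matter here: a leaf issued by the CA, and a self-signed leaf whose issuer is itself.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical server name standing in for the cluster host name in the report.
const Host = "myapp.example.test"

// newCertPEM generates a key and certificate for subject (self-signed when parent is nil); fixture generation, so failures panic.
func newCertPEM(subject pkix.Name, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the issuer is the subject itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by Go, cannot fail
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildScenario returns constructed stand-ins for the report's files: ca.pem, a server cert issued by that CA,
// and a self-signed server cert that reuses the CA's DN from the report but has its own key (issuer == subject).
func BuildScenario() (caPEM, caSignedPEM, selfSignedPEM []byte) {
	name := pkix.Name{CommonName: "test", Organization: []string{"test.research.ibm.com"}}
	ca, caKey, caOut := newCertPEM(name, true, nil, nil, nil)
	_, _, signedOut := newCertPEM(pkix.Name{CommonName: Host}, false, []string{Host}, ca, caKey)
	_, _, selfOut := newCertPEM(name, false, []string{Host}, nil, nil)
	return caOut, signedOut, selfOut
}

// parseOne decodes the first CERTIFICATE block of a PEM file.
func parseOne(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// VerifyWithCAFile does what --ca-certificate/--cacert is meant to do: trust only the given PEM
// (system store left out) and validate the server certificate's chain and host name against it.
func VerifyWithCAFile(caPEM, serverPEM []byte, hostname string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("CA PEM contains no usable certificate")
	}
	cert, err := parseOne(serverPEM)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// IsSelfSigned reports whether a cert is its own issuer: subject equals issuer and the signature
// verifies under its own key (no CA-bit check, so a self-signed leaf counts too).
func IsSelfSigned(certPEM []byte) (bool, error) {
	cert, err := parseOne(certPEM)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil, nil
}

func main() {
	ca, signed, self := BuildScenario()
	fmt.Println("CA-signed leaf, ca.pem trusted:      ", VerifyWithCAFile(ca, signed, Host))
	fmt.Println("self-signed leaf, itself trusted:    ", VerifyWithCAFile(self, self, Host))
	fmt.Println("self-signed leaf, same-DN CA trusted:", VerifyWithCAFile(ca, self, Host))
}
```

go run prints <nil> for the first two cases and an x509 unknown-authority error for the third. The second case is the shape the debug output shows (issuer equals subject): a self-signed leaf verifies only when that exact certificate is in the pool, which is why the third case, a certificate with the same DN but a different key, is refused. That is the behaviour --ca-certificate should give; whether wget's OpenSSL backend actually gets ca.pem into its store is the question the report raises, and the same pool check can be repeated outside wget with openssl verify -CAfile ca.pem against the server certificate saved from openssl s_client -showcerts.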



